When the sandbox attribute is set, the iframe content is treated as being from a unique origin, forms and scripts are disabled, links are prevented from targeting other browsing contexts and plugins are disabled.

When misconfigured sandbox attribute of an iframe on the same origin:

Compromised website in the iframe might affect the users in parent web application.

With a sandbox attribute containing both the allow-same-origin and allow-scripts flags, framed page can reach up into the parent and remove the sandbox attribute entirely.

Remediation

Avoid the usage of allow-same-origin and allow-scripts at the same time.